- CATALOG -
Preventing SQL Injection Attacks: A Comprehensive Guide
folder [java sql]   label postgresql   jdbc  

Introduction to SQL Injection

=====================================

SQL injection is a type of security vulnerability that occurs when user input is not properly sanitized or validated, allowing an attacker to inject malicious SQL code into a database. This can lead to unauthorized access, data modification, and even complete control over the database.

In this article, we will explore the concept of SQL injection, its causes, and most importantly, how to prevent it using secure coding practices.

What is SQL Injection?

SQL injection happens when an application uses user input directly in a SQL query without proper validation or sanitization. This allows an attacker to inject malicious SQL code that can manipulate the database, leading to potential security breaches.

Example of SQL Injection

Let’s consider an example where a web application has a login form with a username and password field. The login functionality uses a SQL query like this:

SELECT * FROM users WHERE username = 'username' AND password = 'password';

If the user input is not validated, an attacker can inject malicious SQL code by providing special characters in the username or password field. For instance, if the attacker inputs username' OR 1=1 -- (the -- at the end is a comment delimiter that terminates the SQL statement), the query becomes:

SELECT * FROM users WHERE username = 'username' OR 1=1 --';

This can be executed as follows: If the user input is successfully inserted into the database, the database will execute the OR 1=1 condition and always return results. This allows an attacker to bypass authentication and gain access to sensitive data.

How Does it Happen?

SQL injection typically occurs due to one of the following reasons:

1. Lack of input validation

Most applications use user input directly in SQL queries without proper validation. For instance, a web application might use this code:

String query = "SELECT * FROM users WHERE username = '" + username + "'";

If username contains special characters like ', the resulting SQL query can be manipulated by an attacker.

2. Unescaped user input

Some applications fail to properly escape user input, leading to potential SQL injection vulnerabilities.

String query = "SELECT * FROM users WHERE name = '" + username + "'";

In this case, if username contains special characters like ', the resulting SQL query can be manipulated by an attacker.

3. Using concatenation

If multiple variables are concatenated into a single SQL query without proper validation, it creates opportunities for attackers to manipulate the database.

String query = "SELECT * FROM users WHERE username = '" + username + "' AND password = '" + password + "'";

This allows an attacker to inject malicious SQL code by providing special characters in either username or password.

How to Prevent SQL Injection

1. Use Prepared Statements

Prepared statements are a powerful tool that helps prevent SQL injection attacks.

String input = "abcdefg";
PreparedStatement ps = connection.prepareStatement("SELECT * FROM prepend(?)");
ps.setString(1, String.format("%s", input));

In this example, the input is safely sanitized using String.format() and then inserted into the prepared statement as a parameter. This prevents any special characters from manipulating the SQL query.

2. Use Parameterized Queries

Parameterized queries are another way to prevent SQL injection attacks.

String query = "SELECT * FROM prepend(:name)";
PreparedStatement ps = connection.prepareStatement(query);
ps.setString(1, input);

In this case, placeholders like :name are used in the SQL query instead of the actual user input. When the input is inserted into the prepared statement, it is safely sanitized and replaced with the parameter value.

3. Avoid String Concatenation

String concatenation should be avoided whenever possible to prevent SQL injection attacks. Instead, use safe methods for sanitizing user input.

String query = "SELECT * FROM prepend(";
query += input;
query += ")";

This code is less secure than the previous examples because it does not properly sanitize the input.

Java 8 Streams and SQL Injection

EDIT

Using Java 8 Streams to prevent SQL injection attacks is an interesting approach. While this might seem like a viable solution, it’s not recommended due to its limitations.

Let’s consider an example where we want to retrieve users from the database:

List<String> users = Arrays.asList("John", "Jane");
List<String> result = Arrays.stream(users)
        .map(user -> queryDatabase(user))
        .collect(Collectors.toList());

In this case, we are using a stream to map each user name to the corresponding data retrieved from the database. The problem with this approach is that it does not provide any protection against SQL injection attacks.

If an attacker can manipulate the queryDatabase() method, they can inject malicious SQL code and potentially gain unauthorized access to sensitive data.

Therefore, while Java 8 Streams might seem like a promising solution, it should not be used as the sole means of preventing SQL injection attacks.

Conclusion

SQL injection is a significant security vulnerability that can lead to unauthorized access, data modification, and even complete control over the database. By understanding how SQL injection works and using secure coding practices, we can prevent these types of attacks.

Using prepared statements or parameterized queries is always the best option when working with user input in SQL queries. These methods provide a safe way to sanitize and validate input data, preventing malicious code from manipulating the database.

While alternative approaches like Java 8 Streams might seem appealing, they are not suitable replacements for established security practices.

Last modified on 2025-04-13

Real-World Coding Tutorials
Hugo Theme Diary by Rise
Ported from Makito's Journal.

© 2025 Real-World Coding Tutorials
- CATALOG -